refactor(userspace/engine): remove Lua from Falco and re-implement the rule loader #1966
Conversation
…yaml Signed-off-by: Jason Dellaluce <[email protected]>
…ions Signed-off-by: Jason Dellaluce <[email protected]>
…ning common static utilities Signed-off-by: Jason Dellaluce <[email protected]>
…o_utils The function implementation was removed, however it was still defined in the .h header. Moreover, this will now be required in order to replace its lua equivalent. Signed-off-by: Jason Dellaluce <[email protected]>
…er to support shared_ptrs This change allows working with safety with AST nodes wrapped into shared pointers. Signed-off-by: Jason Dellaluce <[email protected]>
…-based O(1) access in vectors Signed-off-by: Jason Dellaluce <[email protected]>
…tions Signed-off-by: Jason Dellaluce <[email protected]>
This is a porting of what we had inside the Lua codebase. This now handles the single responsibility of gathering stats about rule-event matching, and of formatting them to print them to the user. Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
There was a problem hiding this comment.
Thank you for tackling this!
I think the biggest feedback is to consider more strongly separating the yaml parsing from the other actions that work on rule/macro/etc objects, like expanding macros/lists, assembling exceptions, parsing conditions, checking for compatible sources, etc. I think it would result in something where we could swap out the yaml library if we wanted to (most important if we can find one that preserves wrapping/line numbers for context reporting).
It also avoids the ugly-looking .as<type>s which are all over.
userspace/engine/rule_loader.cpp
Outdated
| } | ||
|
|
||
| // todo(jasondellaluce): this breaks string escaping in lists | ||
| static bool resolve_list(string& cnd, YAML::Node& list) |
There was a problem hiding this comment.
I wonder if we should try to separate the yaml parsing from the rest of the rule loading more strongly. For example, you could define objects for rules, macros, lists, etc and have functions like this work on those types instead of YAML::Nodes. Might result in slightly cleaner access (all the list["list"].as<string>s would become list.name() or similar). It would also allow future code to work on the objects in the file without having to know what yaml library is being used to represent them.
|
Thanks for the great feedback Mark! I agree with you that we must create some separation between YAML parsing and rules building. Fun fact, this is also the approach I was undertaking when first implementing this (by also splitting the responsibilities between different classes). The downside of this is that this PR is already "bulky" enough with the single scope of porting the rule loader from Lua to C++, and I quickly realized that it would be impossible to review this PR to spot potential regressions if I went on for that route. Overall, the goal of this PR is to remove Lua from the codebase and port the rule loader as a 1:1 copy of what we had before. Refactoring the rule loader logic to a more modular design is a must-do IMHO, but I think this should be the goal of a successive PR once we are confident with the changes of this one. WDYT? cc @leogr |
|
This PR is already ok for me. I will just have a second look. I agree with Jason to improve the implementation in subsequent PRs and not directly here. It will be easier to review the code change. 👍 |
…and rule loader Signed-off-by: Jason Dellaluce <[email protected]>
jasondellaluce
force-pushed
the
refactor/rule-loader
branch
from
3914546
to
04a538c
Compare
Signed-off-by: Jason Dellaluce <[email protected]>
jasondellaluce
force-pushed
the
refactor/rule-loader
branch
from
8e56eec
to
29092ca
Compare
jasondellaluce
changed the title
|
/milestone 0.32.0 |
|
LGTM label has been added. Git tree hash: 7694234af3185193ddf3e662c040374c99bb027a
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jasondellaluce, leogr The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support. Signed-off-by: Mark Stemm <[email protected]>
The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support. Signed-off-by: Mark Stemm <[email protected]>
The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support. Signed-off-by: Mark Stemm <[email protected]>
…ules APIs The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support.
…ules APIs The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support.
…ules APIs The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support.
The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support. Signed-off-by: Mark Stemm <[email protected]>
The only use of it was to include in --support output, which is redundant as the support output already includes the full contents of each rules file. Additionally, it wasn't even being updated after the switch from lua rules loading to c++ rules loading (#1966 or surrounding PRs). This will simplify follow-on changes to add a real "result" to rules loading methods, as there will be fewer API variants to support. Signed-off-by: Mark Stemm <[email protected]>
What type of PR is this?
/kind bug
/kind cleanup
/kind design
Any specific area of the project related to this PR?
/area build
/area engine
What this PR does / why we need it:
This PR follows up the recent refactoring of falcosecurity/libs#217 and #1947 with the end goal of having a single language parser inside Falco and libsinsp written in C++. Currently, Falco successfully uses the new language parser and compiler introduced in libsinsp. The only missing piece in the puzzle is to port the last portion of Lua code into C++, which right now represents the YAML ruleset file loading and runtime stats counting.
The contributions of this PR are:
chisels,luajit,lyaml,libyamlSince this work is big and non-trivial, the end goal of this is to not introduce any breaking change. As such, the rule loader re-implementation is a 1:1 porting of the legacy one written in Lua. The only divergences involve fixing a couple of high-level bugs and an improved codebase management. This is also the reason why the rule loader is implemented as a single class.
Goals:
Non-goals:
Which issue(s) this PR fixes:
Fixing bugs is not a goal of this PR, but after some testing I realized that the following have been solved:
Fixes #706
Fixes #1890
Fixes #1785
Special notes for your reviewer:
Considering how sticky the whole Lua codebase were, I could not find a way to break down this contribution in multiple PRs. Although the number of LOC is high, I've put special attention in developing the new rule loader as a ~1:1 of the existing one written in Lua. In that way, a reviewer could follow the code flow of the two versions, and easily understand if there is any point of divergence. Additionally, I spent quite some time reproducing error codes and behaviors as the one expected by the integration tests. Having the automatic testing passing this PR is a good helper and indicator of the correctness of the implementation. Do not esitate to contact me for further discussions or questions, either here below or through PM/email.
Does this PR introduce a user-facing change?: